Google faces EU crackdown over privacy violations

January 2012's privacy policy comes under fire.

The EU is considering a "co-ordinated crackdown" on Google after it ignored requests from regulators to delay the imposition of its new privacy policy until they had cleared it for compliance with data protection law.

The policy was announced last January (though it only came into effect in March), and allowed Google to mix personal data from all its subsidiaries, particularly Youtube, which had hitherto been cordoned off. The new internal user profiles this enabled the company to create are of great value to advertisers, but the company also trumpeted the improved experience it could offer users, saying at the time:

Our privacy policies have always allowed us to combine information from different products with your account — effectively using your data to provide you with a better service. However, we’ve been restricted in our ability to combine your YouTube and search histories with other information in your account. Our new privacy policy gets rid of those inconsistencies so we can make more of your information available to you when using Google.

The EU didn't agree, and asked the company to hold off implementation until it had held an investigation on whether it complied with EU data protection law. The probe, which began in mid-March, finally reported back in October, and found that the new policy did indeed breach EU law. The French data protection commission, the CNIL, which led the investigation, had recommended a number of changes, such as easier opt-outs for advertising. But the company insists its policy already complies with EU law.

As a result, the CNIL is organising a co-ordinated response to Google, since, as the head of the commission told the Wall Street Journal on Monday, "we're better armed when we speak with one voice than when each country takes its own steps".

The EU hasn't played the situation brilliantly. The fact that its investigation only reported back in October, over six months after it began, is proof of severe regulatory overreach; and it would have been an unnecessary and unsupportable restraint on Google to have asked it to hold off on what was a major business decision for that entire period.

Nonetheless, Google appears to be continuing a trend amongst Silicon Valley — exemplified by Facebook in its squabble with the Irish data protection commission over facial recognition data — of assuming that the regulations of the countries it operates in don't apply to it. The EU has considerably stricter data protection laws than the US, and while some of them, such as the ill-fated cookie directive, are worthy of being ignored, others provide genuine protection for the consumer.

Google maintains that "we have engaged fully with the CNIL throughout this process and will continue to do so," but the EU's privacy group will vote on whether to take action against the company at the end of February.